Hi guys, I was digging around the Location APIs available in Android and discovered that it's possible to obtain location data without having proper location credentials.
It's a pretty low-risk exposure and requires a bit of effort to get anything useful, but here it is: An Android app can use the LocationManagerService.addGpsStatusListener IPC call to register for GPS status updates that include the elevation, azimuth, and other details of each of the satellites in range of the GPS receiver. There are no permission checks, so an app can get this data without notifying the user that it's doing it.

There are some tricky parts to exploiting this:

1. If your app doesn't have ACCESS_FINE_LOCATION, it can't enable the GPS receiver, and no GPS status updates are available when the GPS receiver isn't on.
2. It's not easy to determine the exact location from the satellite positions. Once a malicious app has the exact time and relative satellite locations from this info leak, it needs to know the absolute position of each of the satellites at that exact time in order to determine the user's location.

So realistically, a malicious app has to install a service that waits for some other app to enable the GPS (alternatively, skip the service and just hope the app's process sticks around), then upload the data somewhere where an attacker can download it to calculate the position of the user.

There's some more information about how I'm accessing LocationManagerService at http://www.codetastrophe.com/2008/12/accessing-hidden-system-service-apis-in.html

Like I said, this is low risk, but I ran into it while digging around so I thought I would share. Here's a patch to fix this in LocationManagerService.java:

--- LocationManagerService.java.orig 2008-12-07 14:39:52.000000000 -0500 +++ LocationManagerService.java 2008-12-07 14:40:02.000000000 -0500 
@@ -906,6 +906,9 @@ return false; } + if(mContext.checkCallingPermission(ACCESS_FINE_LOCATION) != PackageManager.PERMISSION_GRANTED) + throw new SecurityException("Requires ACCESS_FINE_LOCATION permission"); + try { mGpsLocationProvider.addGpsStatusListener(listener); } catch (RemoteException e) { -jon Jon Larimer [EMAIL PROTECTED]
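
Review bot: The new permission check sits after the existing early `return false; }`, so a caller without ACCESS_FINE_LOCATION that hits that early return gets `false` instead of a SecurityException; moving the check to the first statement of the method would make the denial consistent on every path. `checkCallingPermission` also reports a denial whenever the method is not being invoked through an IPC, so if anything inside the system process calls this method directly it will now throw; `checkCallingOrSelfPermission` avoids that. The hunk does not show where `ACCESS_FINE_LOCATION` is defined, so confirm the constant is already in scope in this file. As a style point, the added `if` has no braces around the `throw`, unlike the `if` block just above it.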
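
The missing check described in the post is the kind of gap a source audit can flag. The following is an added example, not code from the post or from the Android project: a heuristic scan that lists public methods of a service class whose body contains no permission check. The Java sample is constructed for illustration (`exampleCheckedCall` is hypothetical), and the brace matching assumes no braces inside string literals or comments.

```python
import re

# Constructed sample modelled on the method discussed in the post; not the
# real AOSP source. exampleCheckedCall is a hypothetical method.
SAMPLE = """
public class LocationManagerService {
    public boolean addGpsStatusListener(IGpsStatusListener listener) {
        if (mGpsLocationProvider == null) { return false; }
        try {
            mGpsLocationProvider.addGpsStatusListener(listener);
        } catch (RemoteException e) { return false; }
        return true;
    }
    public void exampleCheckedCall(IGpsStatusListener listener) {
        if (mContext.checkCallingPermission(ACCESS_FINE_LOCATION)
                != PackageManager.PERMISSION_GRANTED)
            throw new SecurityException("Requires ACCESS_FINE_LOCATION permission");
        mGpsLocationProvider.removeGpsStatusListener(listener);
    }
    private void log(String msg) { Log.d(TAG, msg); }
}
"""

METHOD = re.compile(r"\bpublic\s+[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)[^{;]*\{")
CHECK = re.compile(r"\b(?:check|enforce)(?:Calling(?:OrSelf)?)?Permission\s*\(")

def method_body(src, start):
    """Return the brace-balanced body that begins just after an opening '{'."""
    depth, i = 1, start
    while depth and i < len(src):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]

def unchecked_public_methods(src):
    """Names of public methods whose body contains no permission check."""
    return [m.group(1) for m in METHOD.finditer(src)
            if not CHECK.search(method_body(src, m.end()))]

if __name__ == "__main__":
    for name in unchecked_public_methods(SAMPLE):
        print("no permission check in public method:", name)
```

A hit is a prompt for manual review rather than proof of a bug, since a method may delegate the check to a helper or may not need one.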
